Massachusetts Data Security Law

Posted by Ken Graf on April 15, 2009

Beginning on May 1st, 2009, all business entities that own, license, store or maintain “Personal Information” regarding a resident of the Commonwealth will have to comply with new, stricter standards regarding the safeguarding of that personal information.

The Massachusetts data security law lists a number of requirements, including:

Encrypt portable media, such as laptops storing personal data, and all personal data traversing public networks and transmitted wirelessly.

Cut access for all terminated employees.

Discipline violators.

Verify that third-party service providers are in compliance with regulations.

Limit the amount of personal information collected to only what is needed.

Monitor systems for unauthorized access to and use of personal data.

Restrict access to personal data on a need to know basis.

Deploy firewalls, updated patches and anti-virus protections.

Appoint a person to lead the information security program.

Massachusetts Data Security Law follows PCI-DSS

Posted by Ken Graf on April 14, 2009

The Payment Card Industry Data Security Standard (PCI-DSS) has received a lot of attention lately, mainly because organizations that were considered compliant were still hacked. See how the following PCI requirements have influenced Mass 201CMR17.

PCI gives merchants a compliance blueprint, which includes meeting 6 milestones across the following 12 requirements:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.